[SOLVED] Find all outbound traffic (Ubuntu Server)

JoseCuervo · 02-26-2013, 12:37 AM

Hello, the iptables that I created for my Ubuntu server has a gloabl deny rule that prevents Ubuntu from accessing the internet, and prevents windows computers on the network from seeing the Samba share I created. I have tried to use tcpdump to see what exactly I need to allow through the firewall, but the data is overwhelming. How can I parse the tcpdump information to show me what Ubuntu is doing, and what I need to allow? I'm completely new to this, I only learned Samba, iptables, vim, and pretty much Ubuntu in general in the last few days. That said, I can follow instructions and references fairly well.

My current iptables.rules:

Code:

# Generated by iptables-save v1.4.12 on Sun Feb 24 11:30:47 2013

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

##### Accept established traffic & loopback traffic
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

##### Accept Samba traffic from local network
-A INPUT -p udp -s 192.168.0.0/24 -m udp --dport 137 -j ACCEPT
-A INPUT -p udp -s 192.168.0.0/24 -m udp --dport 138 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -p tcp -m state --state NEW -m tcp --dport 139 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT

##### Accept SSH connections only from Viki
-A INPUT -s 192.168.0.0/24 -p tcp -m state --state NEW -m mac --mac-source 1C:6F:65:C6:5D:37 -m tcp --dport 22 -j ACCEPT

##### Accept Minecraft from local network only, for now
-A INPUT -s 192.168.0.0/24 -p tcp -m state --state NEW -m tcp --dport 25565 -j ACCEPT

##### Reject all other INPUT traffic
#-A INPUT -j REJECT

##### Reject all forwarded traffic
-A FORWARD -j REJECT --reject-with icmp-host-prohibited

###### Allow OUTPUT on port 80
-A OUTPUT -d 91.189.92.200/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -d 91.189.91.13/32 -p tcp -m tcp --dport 80 -j ACCEPT

##### Allow Ubuntu to access update sites
-A OUTPUT -p tcp --dport 80 -d security.ubuntu.com -j ACCEPT
-A OUTPUT -p tcp --dport 80 -d us.archive.ubuntu.com -j ACCEPT

##### Allow any OUTPUT traffic on the network
-A OUTPUT -d 192.168.0.0/24 -j ACCEPT

##### Reject all other OUTPUT traffic
#-A OUTPUT -j REJECT

COMMIT
# Completed on Sun Feb 24 11:30:47 2013

I just need a way to find out what it is I'm not allowing through so that I can uncomment my global deny rules for INPUT and OUTPUT. My end goal is to lock this server to the exact minimum necessary. Thanks in advance!

So I just installed and ran wireshark on my Ubuntu VM, and then connected my windows 7 computer and played a show over the network (from Ubuntu to Windows). Wireshark showed 1700 packets in about 15 seconds, is that right? They were all between two IP addresses, which are the VM and host I'm guessing.

JoseCuervo · 02-26-2013, 03:07 AM

After watching wireshark for a while I realized that the Ubuntu VM I was using wasn't using the same addresses as the iptable rules had stipulated. I've modified them, and it seems to be working atm.

unSpawn · 02-26-2013, 06:06 AM

Quote:

Originally Posted by JoseCuervo

I have tried to use tcpdump to see what exactly I need to allow through the firewall, but the data is overwhelming. How can I parse the tcpdump information to show me what Ubuntu is doing, and what I need to allow? (..) I just need a way to find out what it is I'm not allowing through so that I can uncomment my global deny rules for INPUT and OUTPUT. My end goal is to lock this server to the exact minimum necessary.

The easiest way is to add LOG target rules before you DROP or REJECT, for example in the filter table INPUT chain:

Code:

-A INPUT -m state --state INVALID -j LOG --log-prefix "IN_drop_inv "
-A INPUT -m state --state NEW -j LOG --log-prefix "IN_drop_new "
-A INPUT -j REJECT

Quote:

Originally Posted by JoseCuervo

(..) They were all between two IP addresses, which are the VM and host I'm guessing.

Commands like

Code:

ifconfig -a
ip link show
arp -a

and else router (DHCP daemon) logs, arpwatch or arphound should all be able to tell you about local addresses and those in use in your LAN so there's no need to "guess".

JoseCuervo · 02-27-2013, 02:22 AM

Thanks unSpawn, all of those commands are useful to know. I'm unfortunately new enough that I'm asking a lot of questions, but learning fast enough that I seem to stumble onto an answer just as someone is explaining things to me. In case anyone else reads this thread and needs newbie level guidance, what I managed to do with a lot of suggestions from this site was run:

Code:

sudo tcpdump -w capturedPackets.log

which captured all of the traffic my system was seeing. I let it run for about ten minutes, made sure to do all of the things that I wanted my server to do such as updates and serving files with Samba, and then hit Control-C to end the tcpdump capture. Then I used

Code:

sudo wireshark capturedPackets.log

to examine the details of all of the traffic that I had captured. Wireshark incorporates filters that let me slowly eliminate traffic that I recognized, until I was left with what I had to allow through the firewall.